I’ve often wondered how the @null account is guaranteed to have no keys that can access it.

That's the thing. There are no keys, so there's no way to authorize a transaction on behalf of @null account. That's for owner, active, and posting authorities. However, @null has a signing key defined, but this key is a NULL key, so there's no corresponding private key that could match it and sign transaction.

This account (defined in libraries/protocol/include/hive/protocol/config.hpp) is also special,
because it has its balance cleared, see: database::clear_null_account_balance() in libraries/chain/database.cpp